Shortcomings of a Readymade DLP Solution - nullcon

Nov 20, 2013

Deepak Rout


Nullcon (Dwitiya), Goa, 26 Feb 2011

Agenda

- Data Leakage Prevention …a new paradigm
- IBA instead of RBA …turning ‘The Standard’ around
- What’s in store for us!
- Q & A

Shortcomings of a Readymade DLP Solution

- Very high false positives
- Long gestation period
- Data leakage caused by the DLP solution itself
- Several data leakage avenues left out:
  - Mass storage devices
  - Unmonitored Internet access
- Uncontrolled exception management
- Too many Admins/Super-Users
- Differing legal/regulatory provisions globally

Result: unintentional data loss gets detected, while a planned data thief or corporate espionage agent remains a step ahead of the DLP policies.

Data Leakage Prevention - Essentials

- Business/Management concerns on security of data
- Statutory and regulatory imperatives
- Contracts and agreements
- Data Protection - a Security Manager’s KPI
- Avoiding the Silver Bullet Syndrome
- Holistic & proactive Data Protection Framework

Holistic Approach to Reduce Data Leakage

- Closing data leak channels not required for business
- Proactively monitoring the channels that must stay open for business
- Focus on known/suspected leak channels
- Adhering to ‘need to know’
- Controlling leakage by authorized users (e.g. end point solution)
- Controlling leakage to unauthorized users (e.g. rights management)
- Using technology as well as process controls
- Phased deployment approach
- Strong management intent and business involvement
- Educating users on the DLP program and the consequences of violation
- Effective consequence management and exemplary treatment
- Doing PDCA, if a DLP solution is deployed
- Knowing the limitations of DLP controls/tools, and briefing management to accept the residual risk
- Accepting that even after all controls, data leak incidents may happen:
  - Capability to audit user actions
  - Tools to investigate data leak incidents

Suggested Data Leakage Prevention Framework

DLP - Do Not & Do

Do Not (deploy DLP):

- As a remedial measure in the aftermath of a particularly nasty incident
- Because business is doing well and security gets to push through a security investment
- By getting entangled with a silver bullet DLP solution
- On pure selling by DLP solution providers
- As a mail filtering mechanism

Do:

- Deploy a comprehensive set of DLP technologies and processes as a risk mitigation measure which emerges from a systematic Risk Assessment based on business and security objectives

Data Loss Channels

- Internet
- Mass Storage Devices (USBs, SD Cards)
- Employee Laptops
- Vendor Laptops
- Hand-held Devices
- E-Mail & MS Office Communicator
- Hard Copy Prints
- Sensitive areas like Board Room
- Internal Portals

Recommended Solutions

- Detect unauthorized admin access on mail infrastructure
- Data loss detection capability for e-mail traffic
- Logging of Office Communicator
- Data loss detection capability for Internet traffic
- Prevent attachment download to handheld devices
- Consolidate Internet access and put upload restrictions
- Rights Management solution
- Disable mass storage (USB, SD Cards etc) and unnecessary services (file & print sharing, Bluetooth, FTP etc)
- Secure end user systems and revoke administrative rights
- Encrypt laptops
- Secure printing
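Two of the points above, the "very high false positives" shortcoming and the "data loss detection capability for e-mail traffic" recommendation, in working code. This is an added example and not from the slides or any vendor product: the message, the addresses and the attachment are constructed, and 4111 1111 1111 1111 is the standard Visa test number. It shows why a pattern match over the raw message both over-fires (a 16-digit order reference that is not a card number) and under-fires (a card number inside a base64-encoded attachment), and how decoding each MIME part and applying the Luhn check fixes both.

```python
"""Mail DLP content inspection (constructed example, not from the slides)."""
import base64
import re
from email import message_from_string

# 16 digits, optionally separated by single spaces or dashes, not part of a longer run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){15}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test that every payment card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_cards(text: str, validate: bool = True) -> list:
    """Candidate card numbers in text; with validate=True keep only Luhn-valid ones."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not validate or luhn_ok(digits):
            hits.append(digits)
    return hits


def scan_message(raw: str, validate: bool = True) -> list:
    """Walk every MIME part, undo its transfer encoding, return (part, number) findings."""
    msg = message_from_string(raw)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True)   # undoes base64 / quoted-printable
        if payload is None:
            continue
        text = payload.decode(part.get_content_charset() or "utf-8", errors="replace")
        name = part.get_filename() or part.get_content_type()
        findings.extend((name, n) for n in find_cards(text, validate))
    return findings


# Constructed sample message (hypothetical addresses). The body carries a 16-digit
# order reference that fails Luhn; the attachment carries the Visa test number
# 4111 1111 1111 1111, hidden from a raw-text scan only by base64 transfer encoding.
ATTACHMENT_TEXT = "customer card 4111 1111 1111 1111 exp 12/29\n"
SAMPLE_MAIL = (
    "From: alice@example.com\n"
    "To: bob@example.net\n"
    "Subject: Q4 numbers\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b1"\n'
    "\n"
    "--b1\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "\n"
    "Order ref 4111111111111112 attached.\n"
    "--b1\n"
    "Content-Type: text/plain; charset=utf-8\n"
    'Content-Disposition: attachment; filename="cards.txt"\n'
    "Content-Transfer-Encoding: base64\n"
    "\n"
    + base64.b64encode(ATTACHMENT_TEXT.encode()).decode() + "\n"
    "--b1--\n"
)

if __name__ == "__main__":
    print("raw scan, no Luhn   :", find_cards(SAMPLE_MAIL, validate=False))  # false positive only
    print("raw scan, with Luhn :", find_cards(SAMPLE_MAIL))                  # empty: attachment missed
    print("per-part scan       :", scan_message(SAMPLE_MAIL))                # finds the attachment
```

The raw scan without the Luhn check reports the order reference and nothing else; with the Luhn check it reports nothing, because the real number is base64-encoded. Only the per-part scan, which decodes the attachment before matching, reports the card number in cards.txt. A planned exfiltration would go one step further (password-protected archive, an image, an encoding the gateway does not unpack), which is the gap the "Result" slide above describes.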


IBA instead of RBA for EIS

- ‘Risk Based Approach’ (RBA) - PDCA approach of identifying & mitigating risks
- ‘Incident Based Approach’ (IBA) is an alternative to RBA - a PDCA cycle based on incident prevention
- On occurrence, follow the steps: Triage, Investigate, CAPA (corrective and preventive action), RCA (root cause analysis), Implement
- Digital Forensics plays an anchoring role in all stages:
  - Triage - preserve incident parameters
  - Investigation, CAPA & RCA - diagnostics & analysis
  - Prevention - designing enterprise controls

Typical Chronology of Digital Investigation....1

1. Prepare a clean destination hard drive:
   - Otherwise it is difficult to distinguish between old data and new
   - Suspect can claim that incriminating evidence was planted
   - Specialised tools to wipe off past data (e.g. DriveWiper, Voom)
   - These also generate reports to demonstrate that the hard disk is clean

2. Digitally image data from suspect system to target drive:
   - Bit-by-bit clone of the original hard drive using specialized tools
   - Includes all files (OS, deleted, encrypted, password protected & hidden)
   - Data hidden surreptitiously within other files is also retrieved
   - OS independent tools, do not require a dedicated drive
   - Rapid imaging
   - Original hard drive is then sealed

ACQUIRE

Typical Chronology of a Digital Investigation....2

3. Fingerprint:
   - To ensure that the data copied from the source drive to the cloned drive is the same
   - Unique fingerprint created for each hard drive (hashing)
   - Suspect hard drive is seized along with its hash value, which is made known to the suspect
   - The same hash value is later demonstrated on the seized drive

4. Write-protect data:
   - Using write-protect bridges
   - From then on, the drive can only be read but not written to
   - Guarantees purity of evidence

5. Analyse/Investigate:
   - Specialised tools to scan the hard drive and classify files as per category (encrypted files, password protected files, misnamed files, image files, compressed files etc).
   - Password-cracking tools are used on password-protected files
   - Steganography (camouflaging files within another file) can be countered with tools conforming to judicial and evidential requirements (analysed for hidden messages)

AUTHENTICATE

ANALYSE
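Steps 1 to 4 of the chronology (wipe and verify the destination, sector-by-sector copy, fingerprint, write-protect) as one runnable workflow. This is an added example and not from the slides or any forensic product: `FakeDrive`, `SAMPLE_DATA` and the temporary directory are constructed stand-ins for the seized drive, the destination drive and the examiner's workstation, and the handling of unreadable sectors (log them and write zeros so later sectors keep their offsets, which is what dd's `conv=noerror,sync` does) is my assumption about how the copy should behave. In a real case the copy is made by dd, dc3dd or a hardware imager behind a write-blocker bridge; the checks are the same.

```python
"""Acquire / authenticate workflow (constructed example, not from the slides)."""
import hashlib
import os
import tempfile

SECTOR = 512


class FakeDrive:
    """Hypothetical stand-in for a block device: a bytes buffer plus the
    sector numbers that fail to read, like a failing platter."""
    def __init__(self, data: bytes, bad_sectors=()):
        self.data, self.bad = data, set(bad_sectors)

    def sector_count(self) -> int:
        return (len(self.data) + SECTOR - 1) // SECTOR

    def read_sector(self, n: int) -> bytes:
        if n in self.bad:
            raise OSError(f"read error at sector {n}")
        return self.data[n * SECTOR:(n + 1) * SECTOR]


def wipe(path: str, nbytes: int) -> None:
    """Step 1: zero the destination so stale data cannot be taken for evidence."""
    with open(path, "wb") as f:
        f.write(b"\x00" * nbytes)


def is_clean(path: str) -> bool:
    """The 'disk is clean' report: True only if every byte is zero."""
    with open(path, "rb") as f:
        while chunk := f.read(1 << 20):
            if chunk.strip(b"\x00"):
                return False
    return True


def acquire(drive: FakeDrive, dest: str) -> list:
    """Step 2: sector-by-sector copy. An unreadable sector is logged and written
    as zeros so every later sector keeps its original offset. Returns the log."""
    bad = []
    with open(dest, "r+b") as f:
        for n in range(drive.sector_count()):
            try:
                chunk = drive.read_sector(n)
            except OSError:
                bad.append(n)
                chunk = b""
            f.write(chunk.ljust(SECTOR, b"\x00"))
    return bad


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def sha256_drive(drive: FakeDrive) -> str:
    """Step 3: hash the source as read. Raises on an unreadable sector, because
    a source hash that silently skipped data would prove nothing."""
    h = hashlib.sha256()
    for n in range(drive.sector_count()):
        h.update(drive.read_sector(n))
    return h.hexdigest()


def write_protect(path: str) -> None:
    """Step 4: software stand-in for the write-protect bridge."""
    os.chmod(path, 0o444)


def run_acquisition(drive: FakeDrive, workdir: str) -> dict:
    """Steps 1-4 end to end; returns the record the examiner keeps with the drive."""
    image = os.path.join(workdir, "image.dd")
    wipe(image, drive.sector_count() * SECTOR)
    if not is_clean(image):
        raise RuntimeError("destination not clean, refusing to image")
    bad = acquire(drive, image)
    try:
        source_hash = sha256_drive(drive)
    except OSError:
        source_hash = None      # source not fully readable; the bad-sector log explains the gap
    image_hash = sha256_file(image)
    write_protect(image)
    return {"image": image, "source_sha256": source_hash, "image_sha256": image_hash,
            "verified": source_hash == image_hash, "bad_sectors": bad}


SAMPLE_DATA = bytes(range(256)) * 8     # constructed drive: four full sectors


def demo(bad_sectors=()) -> dict:
    """Run the workflow on the sample drive in a fresh temporary directory."""
    return run_acquisition(FakeDrive(SAMPLE_DATA, bad_sectors), tempfile.mkdtemp(prefix="acq_"))


if __name__ == "__main__":
    for rec in (demo(), demo(bad_sectors=[2])):
        print(rec["verified"], rec["bad_sectors"], rec["image_sha256"])
```

On a readable drive the source and image hashes agree and `verified` is True; re-hashing the write-protected image at any later date reproduces the recorded value, which is the demonstration step 3 calls for. With a bad sector the source cannot be hashed in full, `verified` is False, and the acquisition log names the sector: a mismatch the examiner cannot explain from that log means the copy cannot be relied on.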

Enterprise Capability Model for Digital Forensics

- Highly developed internal capability not desirable
- Minimum & potent internal capability (imaging, packet capture, logging etc)
- Advanced capabilities on-demand (image analysis, link analysis, heuristics etc):
  - As appropriate for the specific industry
  - Pre-configured per management/regulatory requirement
  - Pre-negotiated & with SLA
- RoI & industry considerations for configuring the model
- Optimum model - limited internal & bulk outsourced capability




After Forensics, What???

A View of the Future!!!

- New criminal business models & malware sophistication: criminal organizations worldwide are increasingly migrating their business models online. The complexity of threats will increase & there will be more digital crimes.
- The problem will not disappear: criminals’ online activities will continue to be hosted on distributed servers worldwide.
- New targets: newer attack methodologies, including the targeting of SCADA systems that control key infrastructure and economy sectors (petrol, gas, electricity, water, nuclear etc).
- Economic impact: the world economy’s relationship with online services is so strong that any failure could lead to complete chaos. Criminals know this and will take full advantage of it.
- Ubiquitous malware: citizens will continue to depend on technology and ubiquitous online services (mobiles, PDAs, laptops, 3G etc). We will see more attacks targeting these technologies.

It’s a very profitable business; returns exceed stock markets (3 digit growth)…

Security will be in Business!

Q&A

rout.deepak@gmail.com
0-95821-58042